First off, your config looks good.
There are a few minor points which I would like to mention:
1- on your LAN, you hand out the wrong gateway to your clients. The GW is 10.1.1.1 (the FGT); you specify 10.1.1.5.
2- routing: checked. Client routes to 10.1.1.1, FGT routes to 192.168.1.1, router routes to ISP. This will work.
3- Outbound traffic does not need NAT here, because the FGT is not a border router. Your other router will do NAT.
4- firewalling: checked. FGT knows about the LAN subnet ("directly connected"), and the transfer network to the router (same, "d.c."). Otherwise, the FGT will drop incoming traffic from a subnet it doesn't have a route to! This is called "reverse path fail" (Google is your friend).
5- policy: I take it that you described the source address object, not the policy. "Interface: any" in address object is not only correct, but recommended. "Interface: any" in a policy is a NO-GO! Technically, you can use a wildcard interface here but if you do, you will get yourself in trouble real soon. Please avoid if possible.
6- IIRC, one demand was to only allow outbound HTTP, HTTPS. You allow "service: ALL".
7- similar with UTM services: only WF was demanded, but WF is OFF while AV and AC are ON.
Yes, in real life, you would always use an AV protection, so YMMV.
So, the tasks remaining are:
- get internet access going
- create an SSLVPN
- create a L2TP VPN (ouch!)
If internet access doesn't work, use the FGT CLI and ping some host (184.108.40.206). This way, you gather info on whether access works for some devices, or not at all.
Ping 192.168.1.1 first; your router needs to answer this.
SSLVPN is mainly set up in "VPN > SSLVPN > Settings". If you use port 443 for SSLVPN, you cannot manage the FGT via WAN port (port15) anymore. Which might/might not be your plan.
Creating a VPN will always create a new, virtual interface. You need at least one policy from SSLVPN to your LAN for access.
Think about how to authorize your users. The easiest way is to create local users on the FGT. But, on full scale, you would connect the FGT to your MS-AD (=LDAP server) and use the existing user entries.
L2TP is ancient, insecure and only employed if absolutely necessary. Read up in the Admin Guide on how to set this up. Mainly it's done in the CLI (command line).
If you have further questions I'm confident everybody here on the forum will be glad to help you. We all started with absolutely no plan.
"Kernel panic: Aiee, killing interrupt handler!"
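As an added illustration (not part of the post above, and not taken from Fortinet documentation), the points in the reply translate into FortiOS CLI fragments like the following. Assumptions: `port1` is the LAN interface (`port15` is the WAN port named in the thread), the address object is called `LAN_10.1.1.0`, the DHCP pool 10.1.1.100-200, the SSL VPN port 10443, and the local user and group names are placeholders.

```fortios
# Added example, not the original poster's config. Interface and object
# names below are assumptions; port15 is the WAN port mentioned in the thread.

# Point 1: DHCP must hand out the FGT (10.1.1.1) as gateway, not 10.1.1.5
config system dhcp server
    edit 1
        set interface "port1"            # assumed LAN interface
        set default-gateway 10.1.1.1     # the FGT itself
        set netmask 255.255.255.0
        set dns-service default          # hand out the FGT's own DNS settings
        config ip-range
            edit 1
                set start-ip 10.1.1.100  # assumed lease pool
                set end-ip 10.1.1.200
            next
        end
    next
end

# Point 2: default route towards the upstream router (which does the NAT).
# 10.1.1.0/24 and 192.168.1.0/24 are directly connected, so no extra routes
# are needed and reverse-path checks on both subnets pass.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1
        set device "port15"
    next
end

# Point 5: address object - leaving the interface unset means "any", which is fine here
config firewall address
    edit "LAN_10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
end

# Points 3, 5, 6, 7: explicit interfaces (never "any"), only HTTP/HTTPS
# instead of ALL, no NAT on the FGT, web filter on, no AV/AC profiles attached
config firewall policy
    edit 1
        set name "LAN-web-out"
        set srcintf "port1"
        set dstintf "port15"
        set srcaddr "LAN_10.1.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set utm-status enable
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end

# SSL VPN: move it off 443 so HTTPS admin on port15 keeps working,
# then allow the virtual interface ssl.root into the LAN
config user local
    edit "vpnuser1"                      # placeholder local user
        set type password
        set passwd "<set-a-strong-password>"
    next
end
config user group
    edit "sslvpn-users"                  # placeholder group
        set member "vpnuser1"
    next
end
config vpn ssl settings
    set port 10443                       # assumed; 443 would collide with the admin GUI
    set source-interface "port15"
    set source-address "all"
    set default-portal "full-access"
end
config firewall policy
    edit 2
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"           # virtual interface created by SSL VPN
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1" # built-in default tunnel address pool
        set dstaddr "LAN_10.1.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"
        set logtraffic all
    next
end
```

To check connectivity the way the reply suggests, run `execute ping 192.168.1.1` and then `execute ping 184.108.40.206` from the FGT CLI. If client traffic is silently dropped, `diagnose debug flow filter addr <client-ip>`, `diagnose debug flow trace start 10` and `diagnose debug enable` show the per-packet decision; a reverse-path problem appears there as "reverse path check fail, drop", which points at a missing route for the source subnet rather than at the policy.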